EIP-3779: Safer Control Flow for the EVM
Ensure an essential level of safety for EVM code.
Abstract
We define a safe EVM contract as one that cannot encounter an exceptional halting state. In general, we cannot prove safety for Turing-complete programs. But we can prove a useful subset.
This EIP specifies validity rules to ensure that:
Valid contracts will not halt with an exception unless they either
- throw
out of gas
or- recursively overflow stack.
This EIP does not introduce any new opcodes. Rather, it restricts the use of existing and proposed control-flow instructions. The restrictions must be validated at contract initialization time – not at runtime – by the provided algorithm or its equivalent. This algorithm must take time and space near-linear in the size of the contract, so as not to be a denial of service vulnerability.
This specification is entirely semantic. It imposes no further syntax on bytecode, as none is required to ensure the specified level of safety. Ethereum Virtual Machine bytecode is just that -- a sequence of bytes that when executed causes a sequence of changes to the machine state. The safety we seek here is simply to not, as it were, jam up the gears.
Motivation
Safety
For our purposes we define a safe EVM contract as one that cannot encounter an exceptional halting state. From the standpoint of security it would be best if unsafe contracts were never placed on the blockchain. Unsafe code can attempt to overflow stack, underflow stack, execute invalid instructions, and jump to invalid locations.
Unsafe contracts are exploits waiting to happen.
Validating contract safety requires traversing the contract code. So in order to prevent denial of service attacks all jumps, including the existing JUMP
and JUMPI
, and also the other proposed jumps -- RJUMP
, RJUMPI
, RJUMPSUB
and RETURNSUB
-- must be validated at initialization time, and in time and space linear in the size of the code.
Static Jumps and Subroutines
The relative jumps of EIP-4200 and the simple subroutines of EIP-2315 provide a complete set of static control flow instructions:
RJUMP
offset
- Jumps to IP+offset.
RJUMPI
offset
- Jumps if the top of stack is non-zero.
RJUMPSUB
offset
- Pushes IP+1 on the return stack and jumps to IP+offset.
RETURNSUB
- Jumps to the address popped off the return stack.
Note that each jump creates at most two paths of control through the code, such that the complexity of traversing the entire control-flow graph is linear in the size of the code.
Dynamic Jumps
Dynamic jumps, where the destination of a JUMP
or JUMPI
is not known until runtime, are an obstacle to proving validity in linear time -- any jump can be to any destination in the code, potentially requiring time quadratic in the size of code. For this reason we have two real choices.
- Deprecate dynamic jumps. This is easily done:
Define
JUMP
andJUMPI
asINVALID
for the purposes of EOF Code Validation
- Constrain dynamic jumps. This requires static analysis.
Consider the simplest and most common case.
This is effectively a static jump.
Another important use of JUMP
is to implement the return jump from a subroutine. So consider this example of calling and returning from a minimal subroutine:
The return address -RTN_SQUARE
- and the destination address - SQUARE
- are pushed on the stack as constants and remain unchanged as they move on the stack, such that only those constants are passed to each JUMP
. They are effectively static. We can track the motion of constants on the data stack
at validation time, so we do not need unconstrained dynamic jumps to implement subroutines.
The above is the simplest analysis that suffices. A more powerful analysis that takes in more use cases is possible -- slower, but still linear-time.
Validation
We can validate the safety of contracts with a static analysis that takes time and space linear in the size of the code, as shown below. And since we can, we should.
Performance
Validating safe control flow at initialization time has potential performance advantages.
- Static jumps do not need to be checked at runtime.
- Stack underflow does not need to be checked for at runtime.
Specification
Validity
In theory, theory and practice are the same. In practice, they're not. -- Albert Einstein
We define a safe EVM contract as one that cannot encounter an exceptional halting state. We validate safety at initialization time to the extent practical.
Exceptional Halting States
The execution of each instruction is defined in the Yellow Paper as a change to the EVM state that preserves the invariants of EVM state. At runtime, if the execution of an instruction would violate an invariant the EVM is in an exceptional halting state. The Yellow Paper defined five such states.
- Insufficient gas
- More than 1024 stack items
- Insufficient stack items
- Invalid jump destination
- Invalid instruction
A program is safe iff no execution can lead to an exceptional halting state.
We would like to consider EVM programs valid iff they are safe.
In practice, we must be able to validate code in linear time to avoid denial of service attacks. And we must support dynamically-priced instructions, loops, and recursion, which can use arbitrary amounts of gas and stack.
Thus our validation cannot consider concrete computations -- it only performs a limited symbolic execution of the code. This means we will reject programs if we detect any invalid execution paths, even if those paths are not reachable at runtime. And we will count as valid programs that may not always produce correct results.
We can detect only non-recursive stack overflows at validation time, so we must check for the first two states at runtime:
out of gas
and- stack overflow.
The remaining three states we can check at validation time:
- stack underflow,
- invalid jump, and
- invalid instruction.
That is to say:
Valid contracts will not halt with an exception unless they either
- throw
out of gas
or- recursively overflow stack.
Constraints on Valid Code
- Every instruction is valid.
- Every jump is valid:
- Every
JUMP
andJUMPI
is static. - No
JUMP
,JUMPI
,RJUMP
,RJUMPI
, orRJUMPSUB
addresses immediate data.
- Every
- The stacks are always valid:
- The number of items on the
data stack
is always positive, and at most 1024. - The number of items on the
return stack
is always positive, and at most 1024.
- The number of items on the
- The data stack is consistently aligned:
- The number of items on the
data stack
between the currentstack pointer
and thestack pointer
on entry to the most recent basic block is the same for each execution of a byte_code.
- The number of items on the
We define a JUMP
or JUMPI
instruction to be static if its jumpsrc
argument was first placed on the stack via a PUSH…
and that value has not changed since, though it may have been copied via a DUP…
or SWAP…
.
The RJUMP
, RJUMPI
and RJUMPSUB
instructions take their destination as an immediate argument, so they are static.
Taken together, these rules allow for code to be validated by traversing the control-flow graph, in time and space linear in the size of the code, following each edge only once.
Note: The definition of 'static' for JUMP
and JUMPI
is the bare minimum needed to implement subroutines. Deeper analyses could be proposed that would validate a larger and probably more useful set of jumps, at the cost of more expensive (but still linear) validation.
Rationale
Demanding static destinations for all jumps means that all jump destinations can be validated at initialization time, not runtime.
Bounding the stack pointers catches all data stack
and non-recursivereturn stack
overflows.
Requiring a consistently aligneddata stack
prevents stack underflow. It can also catch such errors as misaligned stacks due to irreducible control flows and calls to subroutines with the wrong number of arguments.
Backwards Compatibility
These changes affect the semantics of EVM code – the use of JUMP
, JUMPI
, and the stack are restricted, such that some code that would otherwise run correctly will nonetheless be invalid EVM code.
Reference Implementation
The following is a pseudo-Go implementation of an algorithm for predicating code validity. An equivalent algorithm must be run at initialization time.
This algorithm performs a symbolic execution of the program that recursively traverses the code, emulating its control flow and stack use and checking for violations of the rules above.
It runs in time equal to O(vertices + edges)
in the program's control-flow graph, where edges represent control flow and the vertices represent basic blocks -- thus the algorithm takes time proportional to the size of the code.
Note: All valid code has a control-flow graph that can be traversed in time and space linear in the length of the code. That means that some other static analyses and code transformations that might otherwise require quadratic time can also be written to run in near-linear time, including one-pass and streaming compilers.
Validation Function
Note: This function is a work in progress, and the version below is known to be incorrect.
For simplicity's sake we assume that jumpdest analysis has been done and that we have some helper functions.
isValidInstruction(pc)
returns true ifpc
points at a valid instructionisValidJumpdest(dest)
returns true ifdest
is a valid jumpdestimmediateData(pc)
returns the immediate data for the instruction atpc
.advancePC(pc)
returns nextpc
, skipping any immediate data.removed_items(pc)
returns the number of items removed from thedataStack
by the instruction atpc
.added_items(pc)
returns the number of items added to thedataStack
by the instruction atpc
.
Security Considerations
This EIP is intended to ensure an essential level of safety for EVM code deployed on the blockchain.
Copyright
Copyright and related rights waived via CC0.